PT-2025-7547 · Xwiki · Xwiki Platform

John Kwak · Published 2024-05-06 · Updated 2025-12-29 · CVE-2025-24893

CVSS v2.0: 10 (Vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions
- XWiki versions prior to 15.10.11
- XWiki versions prior to 16.4.1
- XWiki versions prior to 16.5.0RC1

Description
XWiki Platform allows any guest user to perform arbitrary remote code execution through a request to the SolrSearch endpoint. This impacts the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability is due to improper handling of user-supplied input within the SolrSearchMacros component, specifically in the processing of RSS feeds. Attackers can exploit this flaw by sending a specially crafted request to the /xwiki/bin/get/Main/SolrSearch endpoint with a malicious payload embedded in the text parameter. The RondoDox botnet has been observed actively exploiting this vulnerability to deploy cryptocurrency miners and reverse shells. Numerous reports indicate widespread exploitation, with attackers leveraging the flaw for initial access and data exfiltration. The SolrSearch endpoint is vulnerable when the media parameter is set to rss. The payload is transmitted via a GET or POST request in the text parameter. The vulnerability allows execution of Groovy code, and potentially other scripting languages such as Python.

Recommendations
- XWiki versions prior to 15.10.11: upgrade to version 15.10.11 or later.
- XWiki versions prior to 16.4.1: upgrade to version 16.4.1 or later.
- XWiki versions prior to 16.5.0RC1: upgrade to version 16.5.0RC1 or later.

As a workaround, edit line 955 in Main.SolrSearchMacros within SolrSearchMacros.xml to align with the rawResponse macro defined in macros.vm#L2824, setting the content type to application/xml.
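The description pins the exposed combination down to three observable request features: the /xwiki/bin/get/Main/SolrSearch path, media=rss, and a text parameter carried by GET or POST. That is enough to triage web-server access logs for exploitation attempts while an upgrade is scheduled. The following detector is an added example written for this record; it is not code from XWiki or from the advisory author. It assumes combined-format access logs, a /xwiki context root (adjust ENDPOINT_SUFFIX matching if your deployment differs), and constructed sample lines with documentation IP ranges. Severity is a heuristic: any media=rss request with a text parameter is flagged, and the keyword list is only the two languages the advisory names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regex for the common/combined access-log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint named in the advisory; the context root (/xwiki) may differ per deployment.
ENDPOINT_SUFFIX = "/bin/get/Main/SolrSearch"
# Scripting languages the advisory says the flaw can reach.
SCRIPT_KEYWORDS = ("groovy", "python")

# Constructed sample traffic (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=groovy%20script HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [07/Mar/2025:10:01:09 +0000] "POST /xwiki/bin/get/Main/SolrSearch?media=rss HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.0.2.44 - - [07/Mar/2025:10:02:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Mar/2025:10:02:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 7201 "-" "Mozilla/5.0"
"""


def parse_log_line(line):
    """Split one access-log line into fields; the query string is percent-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs decodes %XX escapes and '+' so encoded payloads do not slip past the match.
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return entry


def classify(entry):
    """Return a finding for requests matching the advisory's vulnerable combination, else None."""
    if not entry["path"].endswith(ENDPOINT_SUFFIX):
        return None
    q = entry["query"]
    if q.get("media", "").lower() != "rss":
        return None
    text = q.get("text")
    if text is None and entry["method"] != "POST":
        return None
    if text is None:
        # POST bodies are not in the access log, so rss+POST alone is worth a review.
        return {"ip": entry["ip"], "severity": "medium",
                "reason": "POST with media=rss; text parameter may be in the request body"}
    lowered = text.lower()
    if any(k in lowered for k in SCRIPT_KEYWORDS):
        severity, reason = "high", "text parameter references a scripting language named in the advisory"
    else:
        severity, reason = "medium", "media=rss combined with a text parameter"
    return {"ip": entry["ip"], "severity": severity, "reason": reason, "text": text}


def scan(log_text):
    """Run the classifier over every parseable line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["reason"])
```

On the sample input the first line (a plain search delivered as RSS) is flagged medium, the second high because the decoded text mentions a scripting language, and the POST medium because its body is not visible; the request without media=rss and the unrelated page view produce nothing. Keyword hits are triage signals, not proof: a benign wiki search for "groovy script" will also match, so findings should be correlated with the process and network activity the advisory associates with the botnet (miners, reverse shells) rather than treated as confirmed compromise.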

Tags: Exploit · Fix · RCE · LPE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers

BDU:2025-01880
CVE-2025-24893
GHSA-RR6P-3PFG-562J

Affected Products

Xwiki Platform